Resources

I_H8t3_P@ssw0rds!

By: Daniel Lindley (Network+, CISA)

Publication: The Kansas Banker
, December 2016

2016-12-31T14:00:00.0000000

Raise your hand if you are tired of constantly changing your password and sticking to whatever arbitrary rules seem to be in place at the time. Okay, now put your hand down because you are most likely drawing unnecessary attention to yourself, especially if you are in a coffee shop or on your couch at home surrounded by family. Everyone seems to grumble about password length and expirations, but the truth is: strong passwords are a necessary complication and their use isn’t going away anytime soon. If anything, password complexity guidelines are shifting to be even more stringent, although there may be some light at the end of the extremely long tunnel.

But first, let’s discuss guidelines as they stand today. Standard industry practice is a minimum password length of eight characters with a requirement for three-out-of-four character types (upper case, lower case, numbers, and symbols). Of course, it’s difficult to find exactly where these recommendations are listed, with the Payment Card Industry Data Security Standards (PCI DSS) being the only regulatory guidance to clearly state any requirements, and even then it stipulates a minimum of seven characters and a mixture of numeric and alphabetic characters, both of which are under the generally accepted best practice minimums. In addition, both the PCI DSS and industry best practices state user passwords must be changed every 90 days. Does all of this sound familiar?

Now that we know where we currently stand, let’s take a look at where password guidelines seem to be shifting. With regards to length, both Microsoft and the National Institute of Standards and Technology (NIST) now recommend a minimum of 14 characters. Right now, you might be throwing your hands up in exasperation or making a shocked face, but once again please stop lest you are approached while drinking your latte or receive disapproving looks from your kids. A jump to 14 characters seems significant, but there are some options to help with this transition, which we’ll discuss below. Before we get there, however, we need to be aware of any benefits or pitfalls associated with this change.

Let’s start with the obvious pro: a longer password makes it more difficult for your account to be cracked, assuming the password change isn’t from “Password” to “Password123456” or “Bank1234” to “Bank1234567890.” If it is, you need to consider the real function of a password and the value of the information your credentials protect. A second benefit, assuming it doesn’t clash with any regulatory guidelines like the PCI DSS guidance listed above, is that a stronger password can be changed less frequently. This isn’t to say if a 14-character minimum is implemented then the password expiration can be set to 365 days (or 365.25 days if you factor in Leap Year), but a period of greater than 90 days may be acceptable if the password complexity and strength is sufficient. Now for the cons, of which there are two that really stand out. The first downside associated with longer and more complex passwords is the increased desire to write it down, which violates the primary rule of password management. The second downside is the tendency to reuse strong passwords, especially when many websites are increasing their requirements. While this happens with passwords of any length, longer passwords seem more secure and feel safer to reuse, which is all well and good until one of the websites where your password was stored gets hacked.

The good news is there are some tips and tricks for those who want or need to make the switch to longer and more secure passwords. The first suggestion is to implement passphrases, which are simply short sentences that meet the length and complexity requirements set forth. Examples include the title of this article and “Long passwords are saf3r!” You could also make passwords from the first letter in every word found in the lyrics of your favorite song (or poem for the more cultured among us) or take the email approach and use the @ symbol to differentiate the purposes of your password (e.g. j0hnD03@targetsite or Jan3Sm1th@theBank). A final suggestion is to simply use a password manager like LastPass or KeePass to generate and maintain strong passwords, which comes with the added benefits of not needing to remember each ridiculously long password and having the required fields automatically populated with the stored credentials.

In summary, although password requirements are only going to become longer and more complex, there are steps you can take to not only simplify password implementation and management but to increase the security of your accounts as well.

Daniel Lindley is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, used by over 1000 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.